Tuesday, 24 May 2016

FBI warns of KeySweeper keystroke loggers disguised as USB phone chargers

The FBI is warning private-sector organizations about the rapid spread of stealthy keystroke loggers disguised as USB phone chargers.
The FBI issued a Private Industry Notification warning of the abuse of KeySweeper components, which are able to sniff everything users type into wireless keyboards. I wrote about KeySweeper around 15 months ago, when its creator, the ingenious Samy Kamkar, released the project.

“KeySweeper is a covert device that resembles a functional Universal Serial Bus (USB) enabled device charger which conceals hardware capable of harvesting keystrokes from certain wireless keyboards,” reads the FBI’s alert. “If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information. Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.”

Samy Kamkar designed a cheap USB wall charger that can eavesdrop on almost any Microsoft wireless keyboard. KeySweeper is a stealthy Arduino-based device that works like a generic USB mobile charger, but it has the capability to sniff, decrypt and send back keystrokes from a Microsoft wireless keyboard in the vicinity. KeySweeper can send captured data back to the operator over the Internet or using an optional GSM chip.

KeySweeper also includes a web-based tool for live keystroke monitoring, and an attacker could use it to send back SMS alerts triggered by specific typed keystrokes, such as usernames or URLs. The device keeps working while it logs keystrokes, and thanks to its rechargeable built-in battery it continues to sniff even after it is unplugged. KeySweeper is able to store the sniffed keystrokes both online and locally on the device.


Monday, 23 May 2016

Coordinated raids across stores in Japan that result in the theft of $13m from ATMs in just three hours.

Cybercrime doesn’t know boundaries, and in many countries, security experts are observing a rapid evolution of illegal phenomena on the web.

Japan hosts one of the most interesting underground communities, a criminal online community that is growing significantly even though its underground economy is still highly stealthy. According to Japan’s National Police Agency, cybercriminal activities until March 2015 increased 40% over the previous year.

News of the day is that criminals have stolen a total of 1.4 billion yen (roughly $12.7 million) in cash from some 1,400 ATMs in convenience stores across Japan. The figures are more interesting if we consider that the money was stolen in just a couple of hours earlier this month. The theft at convenience store ATMs took place in the morning of May 15 in Tokyo and 16 prefectures across Japan.

According to local law enforcement, a criminal organization withdrew the cash from the ATMs using cloned payment cards forged with data stolen from a South African bank. It is still not clear how and when the cyber criminals stole the card data from the South African bank.
Japanese authorities are investigating the case alongside the South African authorities through the International Criminal Police Organization.

Clearly the authorities are facing a coordinated attack that likely involved many people; the Japanese investigators believe over 100 people might have been involved in the illicit withdrawals.
Further information about the criminal operation reveals that approximately 14,000 transactions were completed. The maximum amount withdrawn per transaction was 100,000 yen, and the cash was withdrawn from Seven Bank ATMs using the fake credit cards.

The analysis of the ATM transaction logs suggests that the attackers used data from 1,600 credit cards issued by a South African bank.
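The pattern described in this post (one issuer, hundreds of cloned cards, withdrawals at the per-transaction ceiling across many prefectures within a few hours) is what an issuer's or ATM operator's transaction monitoring should catch. As an added illustration, not code from the investigation or from this blog, the script below runs a simple cash-out detector over a constructed withdrawal log. The ATM ids, BINs, card hashes, timestamps and thresholds are all invented for the example; only the 100,000 yen ceiling comes from the article.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Per-transaction withdrawal ceiling reported in the article (100,000 yen).
PER_TX_CEILING_JPY = 100_000

FIELDS = ["ts", "atm_id", "prefecture", "issuer_bin", "card_hash", "amount_jpy", "result"]

# Constructed sample log (invented ATM ids, BINs, card hashes and amounts; not real
# transaction data). BIN 999901 mimics a coordinated cash-out; 412345 is ordinary use.
SAMPLE_LOG = """\
2016-05-15T05:01:03,ATM-T001,Tokyo,999901,card-a1,100000,OK
2016-05-15T05:01:40,ATM-T002,Tokyo,999901,card-a2,100000,OK
2016-05-15T05:03:12,ATM-O001,Osaka,999901,card-a3,100000,OK
2016-05-15T05:04:55,ATM-K001,Kanagawa,999901,card-a1,100000,OK
2016-05-15T05:06:20,ATM-A001,Aichi,999901,card-a4,100000,OK
2016-05-15T05:08:02,ATM-T003,Tokyo,999901,card-a5,100000,OK
2016-05-15T05:09:47,ATM-O002,Osaka,999901,card-a2,100000,OK
2016-05-15T05:11:30,ATM-F001,Fukuoka,999901,card-a6,100000,OK
2016-05-15T05:12:10,ATM-F002,Fukuoka,999901,card-a7,100000,DECLINED
2016-05-15T05:15:00,ATM-T004,Tokyo,412345,card-b1,20000,OK
2016-05-15T06:30:00,ATM-T005,Tokyo,412345,card-b2,10000,OK
2016-05-15T09:45:00,ATM-T001,Tokyo,412345,card-b3,30000,OK
"""


def parse_log(text):
    """Parse CSV withdrawal records into dicts with a datetime and an integer amount."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["amount_jpy"] = int(rec["amount_jpy"])
        rows.append(rec)
    return rows


def summarize(window_txs):
    """Aggregate statistics for one burst of transactions on a single issuer BIN."""
    at_ceiling = sum(1 for t in window_txs if t["amount_jpy"] >= PER_TX_CEILING_JPY)
    return {
        "tx_count": len(window_txs),
        "distinct_cards": len({t["card_hash"] for t in window_txs}),
        "distinct_atms": len({t["atm_id"] for t in window_txs}),
        "distinct_prefectures": len({t["prefecture"] for t in window_txs}),
        "ceiling_ratio": at_ceiling / len(window_txs),
        "total_jpy": sum(t["amount_jpy"] for t in window_txs),
        "start": window_txs[0]["ts"],
        "end": window_txs[-1]["ts"],
    }


def cashout_alerts(rows, window=timedelta(hours=3), min_cards=5,
                   min_prefectures=3, min_ceiling_ratio=0.8):
    """Flag issuer BINs whose busiest `window` of successful withdrawals looks like a
    coordinated cash-out: many distinct cards, spread over several prefectures, with
    almost every withdrawal at the per-transaction ceiling. The thresholds are assumed
    tuning values for this example, not figures from any investigation."""
    by_bin = defaultdict(list)
    for r in rows:
        if r["result"] == "OK":          # declined attempts are not cash out of the door
            by_bin[r["issuer_bin"]].append(r)

    alerts = {}
    for issuer_bin, txs in by_bin.items():
        txs.sort(key=lambda t: t["ts"])
        busiest = None
        j = 0
        # Two-pointer sweep: for each start index i, advance j to one past the last
        # transaction within `window` of txs[i], then score that slice.
        for i in range(len(txs)):
            while j < len(txs) and txs[j]["ts"] - txs[i]["ts"] <= window:
                j += 1
            stats = summarize(txs[i:j])
            if busiest is None or stats["tx_count"] > busiest["tx_count"]:
                busiest = stats
        if (busiest["distinct_cards"] >= min_cards
                and busiest["distinct_prefectures"] >= min_prefectures
                and busiest["ceiling_ratio"] >= min_ceiling_ratio):
            alerts[issuer_bin] = busiest
    return alerts


if __name__ == "__main__":
    for issuer_bin, s in cashout_alerts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT BIN {issuer_bin}: {s['tx_count']} withdrawals by "
              f"{s['distinct_cards']} cards at {s['distinct_atms']} ATMs in "
              f"{s['distinct_prefectures']} prefectures, {s['total_jpy']:,} yen "
              f"between {s['start']:%H:%M} and {s['end']:%H:%M}")
```

The detector keys on the combination the post reports rather than on any single signal: volume alone would also flag payday mornings, and ceiling-sized withdrawals alone are common, but many distinct cards from one foreign issuer hitting the ceiling in several prefectures inside a three-hour window is characteristic of a cloned-card cash-out. In practice the per-BIN baseline would be learned from history rather than fixed as it is here.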

Wednesday, 11 May 2016

Android Trojan Steals Credit Card Info, Locks Devices Remotely

A new Android banking Trojan capable of spying on users and stealing credit card info is achieving persistence on infected devices by asking for device administrator rights and continuously showing the dialog window until the user gives in.

Researchers at Avast warn that the new Banker Trojan relies on social engineering and employs various evasion techniques in an attempt to remain undetected on the compromised devices.

The malicious program is installed on the infected devices under different names, including AVITO-MMS, KupiVip and MMS Центр (MMS Center), depending on the sample. After installation, an app icon is placed in the launcher, but the icon is hidden after the program’s first run, to make the Trojan more elusive.

The malware also checks whether it runs in an emulator, and, if it doesn’t, it starts a background timer that shows the Device Admin activation dialog in a continuous loop, even if the user presses the “Cancel” button. However, the dialog disappears if the user gives in and enables device administrator rights for the app. After gaining admin rights, the malware repeats the process, but for setting the default SMS manager app. By gaining device admin rights, the Trojan makes it more difficult for users to uninstall it, while also allowing its operators to remotely lock the device, researchers say.

On smartphones running Android Marshmallow, users can try to uninstall the application despite the continuous flood of request dialogs by going to Settings with the top-down swipe. Owners of devices running Android KitKat, however, aren’t as fortunate and can get rid of the malware only after a factory reset.
The Trojan was designed to send information about the device to the command and control (C&C) server, to intercept incoming SMS messages and send them to the server, and to receive further commands from its operators.

The information sent to the C&C server includes device IMEI, ISO country code, SIM operator name, Android build version, Phone number, SIM serial number, info on whether the app has admin rights and if it is the default SMS app, the current version number of the Trojan, and generated unique user ID for the phone.
Upon command, the Trojan can display a fake Google Play window on the infected device, prompting the victim to enter their credit card information. The malware also supports commands for downloading an APK and prompting the user to install it, locking the screen, and redirecting calls to a specific number. Moreover, it can get call logs, SMS inbox, bookmarks, contacts, a list of installed apps, and GPS coordinates of the device and send them to the C&C server.
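The capability mix Avast describes (a device-admin receiver for persistence, a bid to become the default SMS app, and permissions to read call logs, contacts and location) is largely declared in an app's manifest, which makes it a cheap first-pass triage signal. As an added illustration, not code from Avast's report or from this post, the script below parses a constructed AndroidManifest.xml and reports which of those capability clusters it declares. The package name, class names and label are invented; the permission and action strings are standard Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest imitating the capability mix described in Avast's report
# (device-admin receiver, default-SMS-app receiver, SMS and data-harvesting
# permissions). Package name, class names and label are invented.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mmscenter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="MMS Center">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison (a flashlight app).
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch"/>
</manifest>
"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
HARVEST_PERMS = {"android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
                 "android.permission.ACCESS_FINE_LOCATION"}


def triage_manifest(xml_text):
    """Return the sorted list of capability findings declared in an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    actions = {el.get(ANDROID_NS + "name") for el in root.iter("action")}
    receiver_perms = {el.get(ANDROID_NS + "permission") for el in root.iter("receiver")}

    findings = set()
    # A receiver guarded by BIND_DEVICE_ADMIN (or listening for DEVICE_ADMIN_ENABLED)
    # is how an app requests the device administrator rights the Trojan nags for.
    if ("android.permission.BIND_DEVICE_ADMIN" in receiver_perms
            or "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
        findings.add("device_admin")
    # Handling SMS_DELIVER is a prerequisite for becoming the default SMS app.
    if "android.provider.Telephony.SMS_DELIVER" in actions:
        findings.add("default_sms_handler")
    if perms & SMS_PERMS:
        findings.add("sms_access")
    if perms & HARVEST_PERMS:
        findings.add("data_harvesting")
    return sorted(findings)


def verdict(findings):
    """Escalate when device-admin persistence is paired with SMS access, the
    combination the report describes; anything else with findings gets routine review."""
    f = set(findings)
    if "device_admin" in f and f & {"default_sms_handler", "sms_access"}:
        return "escalate"
    return "review" if f else "clean"


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(manifest)
        print(f"{label}: {verdict(found)} {found}")
```

Two of the behaviours in the report are invisible to this check and need dynamic analysis: the launcher icon is hidden at runtime after the first run, and the emulator check happens in code, not in the manifest. Legitimate messaging and MDM apps also declare some of these clusters, so the output is a triage priority, not a verdict of maliciousness.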

According to Avast, the Trojan was most active in the first half of February, and it was targeting users in Russia, followed by Germany, the U.S. and the Czech Republic.
To stay protected, users should make sure they have an anti-malware program installed on their devices, and should also keep their data backed up at all times. Should the infection occur, however, users might be forced to reset their devices to factory settings to remove all installed apps and user data, including the malware.

Some of the most recent Android banking Trojans spotted in the wild include Asacub, which evolved from a spyware Trojan to a backdoor and then a banking malware, SlemBunk, a continuously evolving piece of malware, with 170 samples identified in mid-December to target users of 33 banking applications worldwide, and Xbot, which exhibits multiple malicious activities, ranging from stealing banking credentials and credit card information, to encrypting files on external storage.

Thursday, 5 May 2016

ATMs 'vulnerable' to cyber hacking

Cape Town – Bank ATMs are vulnerable to hacking because of outdated software, a global security firm has found.
Security outfit Kaspersky Lab has discovered that ATMs are vulnerable to hacks because many run the Windows XP operating system which is no longer supported by Microsoft.

The company conducted penetration testing as well as investigations into bank heists to determine the possibility of breaching bank digital defences.
“The results of our research show that even though vendors are now trying to develop ATMs with strong security features, many banks are still using old insecure models and this makes them unprepared for criminals actively challenging the security of these devices,” said Olga Kochetova, security expert at Kaspersky Lab’s Penetration Testing department.
In SA, many criminals target ATMs with bombings and card skimmings to steal money.
Malware theft
However, Kaspersky said that malicious software was also becoming an ideal vehicle for criminals to compromise ATMs.
The company identified a gang dubbed Carbanak in 2015 which stole an estimated $1bn from over 100 financial institutions in a carefully orchestrated spear phishing attack.
Tyupkin malware (Backdoor.MSIL.Tyupkin) on ATMs was discovered in 2014. Through the use of the malware, cyber criminals are able to empty ATM cash cassettes through direct manipulation.
But the malware has built-in security features that make it difficult to detect and remove: It only functions at specific times at night and operates with a key generated for every session.
Because Microsoft has ceased support for Windows XP, ATMs may remain vulnerable, said Kaspersky.
“In the vast majority of cases, the special software that allows the ATM’s PC to interact with banking infrastructure and hardware units, processing cash and credit cards, is based on the XFS standard. This is a rather old and insecure technology specification, originally created in order to standardise ATM software, so that it can work on any equipment regardless of manufacturer,” the company added.

WhatsApp’s end-to-end encryption isn’t as private as you might think

WhatsApp trumpeted the roll out of end-to-end encryption for its messaging service. The world rejoiced.
With events such as the battle between Apple and the FBI turning attention to encryption, the announcement was well-timed to ride the crest of the wave. But it seems that for all of the bluster and bravado, the news about extra protection may not be quite as good as it seems.

Analysis of WhatsApp’s privacy documentation reveals that the Facebook-owned company retains a huge amount of data about messages that are sent. If this all sounds familiar, it’s because the retention of metadata is precisely what the NSA was (is?) up to, trawling web communications and upsetting Edward Snowden and privacy advocates around the world. WhatsApp’s encryption and policies mean that those who are concerned about their privacy should not rest on their laurels.

The end-to-end encryption now employed by WhatsApp may mean that it – and third parties – do not have access to the contents of messages that are sent, but it does still know a great deal of potentially privacy-invading information about communication. Included in the data that WhatsApp ‘may retain’ (which, it’s fair to assume, can be read as ‘does retain’) is information about who has communicated with whom, when this communication took place and the intriguingly worded ‘any other information which WhatsApp is legally compelled to collect’.
The privacy section of WhatsApp’s Terms of Service says:
“WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect. Files that are sent through the WhatsApp Service will reside on our servers after delivery for a short period of time, but are deleted and stripped of any identifiable information within a short period of time in accordance with our general retention policies.”
The Apple vs FBI case-that-never-was has highlighted the fact that even when encryption is in place, it is certainly no guarantee that data cannot be accessed by law enforcement agencies. WhatsApp’s connection with Facebook – a social network that gathers huge amounts of information about its users not only in the interests of personalisation, but also for ad-tailoring – coupled with the privacy policy will do little to quell the fears of those concerned about snooping into their correspondence.

End-to-end encryption is a step in the right direction, but it is far from being the end of the story when it comes to privacy.